The Privacy Commission: A Complete Examination of Privacy Protection
HEARING
BEFORE THE
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. MCHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. MCINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LATOURETTE, Ohio
MARSHALL MARK SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana

HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, JR., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, JR., Tennessee
JANICE D. SCHAKOWSKY, Illinois

BERNARD SANDERS, Vermont (Independent)

EX OFFICIO
DAN BURTON, Indiana
HENRY A. WAXMAN, California
J. RUSSELL GEORGE, Staff Director and Chief Counsel
HEATHER BAILEY, Professional Staff Member
BRYAN SISK, Clerk
MICHELLE ASH, Minority Counsel
CONTENTS
Hearing held on April 12, 2000
Statement of:
    Cate, Professor Fred, professor of law and Harry T. Ice faculty fellow, Indiana University School of Law, Bloomington; Travis Plunkett, legislative director, Consumer Federation of America; Ari Schwartz, policy analyst, Center for Democracy and Technology; and Sandra Parker, esquire, director of government affairs and health policy, Maine Hospital Association
    Twentyman, Sallie, victim of credit card theft; Robert Douglas, private investigator; and Paul Appelbaum, M.D., chairman, Department of Psychiatry, director, Law and Psychiatry Program, University of Massachusetts Medical School
Letters, statements, etc., submitted for the record by:
    Appelbaum, Paul, M.D., chairman, Department of Psychiatry, director, Law and Psychiatry Program, University of Massachusetts Medical School, prepared statement of the American Psychiatric Association
    Cate, Professor Fred, professor of law and Harry T. Ice faculty fellow, Indiana University School of Law, Bloomington, prepared statement of
    Douglas, Robert, private investigator, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
    Hutchinson, Hon. Asa, a Representative in Congress from the State of Arizona, prepared statement of
    Parker, Sandra, esquire, director of government affairs and health policy, Maine Hospital Association, prepared statement of
    Plunkett, Travis, legislative director, Consumer Federation of America, prepared statement of
    Schwartz, Ari, policy analyst, Center for Democracy and Technology, prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of
    Twentyman, Sallie, victim of credit card theft, prepared statement of
THE PRIVACY COMMISSION: A COMPLETE
EXAMINATION OF PRIVACY PROTECTION
HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY,
COMMITTEE ON GOVERNMENT REFORM,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in room
2247, Rayburn House Office Building, Hon. Stephen Horn (chair-
man of the subcommittee) presiding.
Present: Representatives Horn and Turner.
Also present: Representatives Hutchinson and Moran of Virginia.
Staff present: J. Russell George, staff director and chief counsel;
Heather Bailey, professional staff member; Bonnie Heald, director
of communications; Bryan Sisk, clerk; Ryan McKee, staff assistant;
Michael Soon, intern; Kristin Amerling, minority deputy chief coun-
sel; Michelle Ash and Trey Henderson, minority counsels; and Jean
Gosa, minority assistant clerk.
Mr. HORN. A quorum being present, the hearing of the Sub-
committee on Government Management, Information, and Tech-
nology will come to order.
The first Federal Privacy Commission was established in 1977 to
examine a similar issue to that being addressed today: How can
private information be protected while allowing public access to in-
formation that can benefit society?
Today, a few keystrokes on a computer can produce a quantity
of information that was unimaginable in 1974. From e-mail and e-
commerce to e-government, technology has simplified the way peo-
ple communicate, shop, and file their income tax returns.
Last year, for example, more than 17 million people spent $20
billion for on-line purchases. At a subcommittee hearing on Mon-
day, IRS Commissioner Charles Rossotti testified that as of March
31, nearly 21 million people had filed their tax returns electroni-
cally this year, a 16 percent increase over the same period last
year.
The downside of these technological advances is that a vast
amount of personal information now flows over the Internet, and
all too often, citizens are being victimized. Today names, addresses,
Social Security numbers, and credit reports, as well as other per-
sonal information, can be bought by nearly anyone who is willing
to pay the going rate.
Mr. HORN. The gentleman from Texas, the ranking member, Mr.
Turner.
Mr. TURNER. Thank you, Mr. Chairman. I want to commend Mr.
Hutchinson and Mr. Moran for their work on this legislation. It is
one of the most important issues that we face. As you mentioned,
Mr. Hutchinson, the polls clearly indicate that privacy is one of the
top concerns of the American people.
I was pleased to join with you as a cosponsor of this bill because
I think the commission will create a high profile for the issue and
enable us to have a full and open discussion with the American
people about these issues so that we can resolve them in the appro-
priate way.
I was very pleased to hear your comments about your intent with
regard to the commission was not to impede the progress of other
legislation that we may achieve a bipartisan consensus on during
the time that the commission is working. I think the commission
can be a sounding board for a lot of those proposals. I know there
are regulations at HHS pending on medical privacy. I hope that the
commission would not impede those regulations, but also provide a
sounding board for those regulations, because some of these privacy
issues need to be dealt with right away. So if we find a consensus
on it, and if the agencies are finding their way to protecting our
privacy as HHS is trying to do with the medical regulations, I
think the American people deserve those protections as soon as
possible.
The commission not only can provide a sounding board for the
proposals that are out there and for actions that may be taken over
the next 18 months, but at the end of the day, hopefully can come
up with an overall recommendation in these various areas that rep-
resent a true consensus to protect the privacy of the American peo-
ple.
So I commend you, and I welcome our witnesses here today. We
look forward to working on this bill and making it everything that
I think the authors intend for it to be.
Thank you, Mr. Chairman.
Mr. HORN. Thank you very much.
[The prepared statement of Hon. Jim Turner follows:]
Mr. HORN. We will now begin with the first panel. We will start
with Ms. Sallie Twentyman, who is the victim of credit card theft.
Tell us about it.
Mr. HORN. Well, thank you for your story. I think it must make
every one of us behind this podium and everyone in the seats out
there that you just feel like you have been violated, and your whole
person is in somebody else's hand and control.
I am going to ask one or two questions now, and then we--we
don't want to waste the talent here, and we will do all of them
afterwards. But you mentioned the Secret Service. Did you go to
the FBI?
Ms. TWENTYMAN. I left a message and was never called back.
Mr. HORN. They never contacted you?
Ms. TWENTYMAN. I think I left two. I never heard back. The Se-
cret Service I did hear from. They asked for some information. I
faxed it, but I never heard back. I realize I could have called and
really aggressively tried to get, tried harder, but I didn't. I mean,
I felt like they knew.
Mr. HORN. Did you contact your own Member of Congress?
Ms. TWENTYMAN. Sitting right over there, I did e-mail him about
this.
Mr. HORN. He is the kind of person that gets something done.
Ms. TWENTYMAN. That is right.
Mr. HORN. OK.
Ms. TWENTYMAN. He catches his car thieves, too.
Mr. HORN. I had a problem like that when a few Federal agencies
wouldn't move, we just went right to the top, and believe me,
they got a little dynamite stick under them and started moving.
But that is another story.
Ms. TWENTYMAN. I think part of this is I wanted to also see the
citizens--things seem to be winding down. I have been very
proactive. I need to observe what is going on, because every citizen
does not--I know my parents would not have been extremely assertive.
I am just so thankful it is me instead of them and some people.
Mr. HORN. Well, thank you. Stay with us, and we will have some
more questions as we finish this panel.
Mr. Robert Douglas is a private investigator. We are glad to have
you here.
Mr. DOUGLAS. Thank you, Mr. Chairman. My name is Robert
Douglas, and I am the founder of American Privacy Consultants.
I appreciate the opportunity to appear before you in support of
the creation of a privacy commission and to state my belief that a
comprehensive review of current privacy law and the formulation
of a privacy plan for the 21st century are important and long over-
due.
Prior to founding APC, I was a Washington, DC, private detec-
tive. In 1997, I began investigating the practice of information bro-
kers selling personal financial information. I brought the results of
that investigation here to Congress, and I would note in part of
that testimony, which I have appended to my statement this morn-
ing, I addressed specifically the situation that happened to Ms.
Twentyman where her maiden name and birth date records were
changed within a financial institution, and I know the techniques
that are used to do that, and it happens thousands of times a year
around this country.
The sale of credit headers is the starting point for many forms
of identity theft as it gives the identity thief all of the biographical
information necessary to impersonate the true owner of the infor-
mation. This ability to then impersonate the true owner opens up
access to all forms of personal information sought by the identity
thief. Congress should extend the same permissible purposes test
currently in place for the access to credit data under the Fair Cred-
it Reporting Act to the biographical data included in the credit
header, which is now exempted under current interpretations of
the FCRA.
The next chart demonstrates another company called Strategic
Data Services, and again, we see the sale of Social Security numbers,
employment information, dates of birth, driver's license, but
added to this we see where they will sell the physical address that
goes to a post office box owner, something to someone who has a
civil protection order, is trying to stay away from a stalker or a
harasser, is terrifying to them, because they will reach out and get
and pay extra for a private P.O. box specifically to hide their phys-
ical address, and yet here we have hundreds of Web sites selling
it. The P.O. box's postal regulations recognize few exceptions for obtaining
the corresponding physical address, yet here we see it for
sale on the Internet.
The next category shows the sale of driver and vehicle searches,
general doc search. Included in the list are the sale of names and
addresses associated with a license plate and the sale of a specific
driver's license number. So if I see your license plate on your car
on the street, and I want to find out who you are and where you
live, I can buy that information.
The following Web page shows the specific driver history records
by name, and I would note that many Americans believe that the
passage of the Driver's Privacy Protection Act, which I am aware
Senator Shelby just held hearings on, I believe, last week, looking
to reinforce that act and strengthen it, but I am afraid he missed
what I am about to talk about here--many Americans believed
would stop the sale of this type of information. However, the act
allowed an exemption for private investigators. Unfortunately, al-
though there are thousands and thousands of very lawful and up-
standing private investigators in this country, there are a number
of information brokers who are also private investigators or who
have established relationships with private investigators that are
subsequently accessing this information and selling it to almost
anyone who submits a request on the Internet.
The next page shows telephone searches, and this is an area that
I am not aware that anyone in Congress has looked at to this date.
One can see from the listing that any phone number can be traced
back to its owner. Whether or not the individual owner has taken
steps to protect their privacy by again paying extra for an unlisted
or nonpublished phone number, it doesn't matter. It doesn't protect
you one iota. Again, we have a page demonstrating exactly the sale
of nonpublished phone number information.
Again, another page demonstrating all of the other types of
phone searches on another Web page, and I will try to move along
here for you. But on that one it is very important to note that, in
addition to being able to find the ownership site for selling the ac-
tual long-distance toll call records. In other words, you can pur-
chase the long-distance phone records, including the number called,
the date, time, and duration of the call. This is actually used in
economic espionage, business espionage, on a fairly regular basis in
this country.
The next page is, again, financial searches. We can see that even
though Gramm-Leach-Bliley was passed last November 12 and
signed by President Clinton, that both personal and corporate, pri-
vate financial information continues to be sold on hundreds of Web
sites on the Web. I have documented the specific bank account
search here, and there is one portion in the description that I have
bolded and underlined that should be alarming to this committee
and to Congress, and that is this individual, whose name is Daniel
Cohen and operates Docusearch, is claiming that he is accessing a
Federal database. The article from Forbes Magazine that I have
appended as appendix 1, he goes further in that article and claims
he is getting it from the Federal Reserve.
As I pointed out in my speech to the FDIC about 2 weeks ago,
I believe that to be a total falsehood. There is no such database
with the Federal Reserve. But these are the types of lies these peo-
ple are telling, even on the Internet, even to reporters like the re-
porter from Forbes and to our American citizens, which are making
our citizens answer the question that Congressman Hutchinson
found when he traveled to his district, and I am sure Congressman
Moran and others, into believing that they have no longer any fi-
nancial privacy in this country. They are actually stealing this in-
formation through impersonation, but are claiming to our citizens
that they have lawful access via Federal databases, and I would
hope that that would be of concern to this committee.
The final page is a credit card activity page. To sum that one up,
there are dozens of Web sites you can go on where I could buy Ms.
Twentyman's actual credit card activity, where she had her dinner,
what presents she bought for her family at Christmastime, right
down to the individual transactions.
The examples I have provided today demonstrate that a vast and
varied amount of personal information is available on the Internet.
These examples are just several of thousands available. I have pro-
vided committee staff with hundreds of other Web page examples
of information being advertised and sold on the Internet, and with-
out saying his or her name, because they asked me not to, I dem-
onstrated to your staff, Chairman Horn, the other day that with
one phone call, and I think that person could tell you that, in about
3 minutes I got a phone call back, and I knew her Social Security
number and her address. And I have with me a complete report of
that individual that I will show them later on today.
If H.R. 4049 passes, and it should, I will do all I can to assist
the privacy commission or any committee of Congress to understand
and weed out the methods currently being used and developed
to access our fellow citizens' personal and private information.
In conclusion, and I apologize for running so long, the time is
ripe to have a privacy commission with broad-based authority to
Mr. HORN. Well, we thank you a lot, because you have just done
a terrific job of taking us through how easy it is to have this hap-
pen, and we are indebted to you in terms of the excellent informa-
tion you provided. I take it you have not ever been filing for Social
Security numbers and anything like that. When did you get into
this?
Mr. DOUGLAS. I came across it while I was working as an active
private investigator in Washington, DC, and started to note that
more and more information brokers were advertising in the PI
trade magazines, and then relatively blatantly on the Internet. I
did attend law school. I had some sense that this could not quite
be right, some of the information that they were selling, and I
began calling literally dozens of them and actually contracted with
a few to find out what types of information they were able to ob-
tain.
Through the course of developing--and they will lie blatantly
even to other private investigators, reporters, Members of Congress
who have talked to them and claim all types of--you know, it is
proprietary databases that we have, investigative sources. And
there are certain key phrases that you can find on these Web pages
that I could demonstrate to the committee or others, indicate that
they are not getting the information legally.
Any time they claim--on the page where they claim they are getting
it from a Federal database, well, gee, they are getting it from
a Federal database, but on the same page it tells them it takes 18
days to get it. So the reason it takes 10 to 18 days is because what
they are doing and what has happened to Mrs. Twentyman is they
will buy your credit information, they will then in her case get
someone in their office who is female and approximately her age
to start calling her bank and calling whatever, the phone company,
utility companies, whoever they want to obtain information from
and impersonate her, and they now have her name, her date of
birth, her address, her Social Security number, and with that information,
you can get almost anything, including--and I demonstrated
this to Chairman Leach 2 years ago in the Banking Committee.
What they do, the way they changed her date of birth and
her mother's maiden name--many banks use the mother's maiden
name as the password to gain access. I have been advising banks
for several years now to change that, and the OCC letter that was
put out following my testimony also advised them to go from the
maiden name to a PIN number.
Mr. HORN. Explain OCC.
Mr. DOUGLAS. The Office of the Comptroller of the Currency, one
of the regulatory bodies overseeing our financial institutions. They
put out an advisory letter in the fall of 1998 following my testi-
mony advising them to change that, for the very reason as to what
happened to Ms. Twentyman, because here is how it is done. If I
want to change your--even your password, I call the bank, and I
claim to be Mr. Horn, and I have the biographical data, but maybe
I don't have the mother's maiden name. I say, gee, I am on the
road, I need to get some information off my checking statement. I
am afraid I have a check that is going to bounce. I am out of town.
I have to take care of this today. I don't have my checkbook with
me, sometimes they don't have the account number, can you help
me.
Well, because in fairness to the banks, they are in the customer
service business--and this applies to any other institution, not just
financial institutions. They are in the customer service business,
they want to be helpful, they are trained to be helpful. So if you
have enough data, date of birth, Social Security number, you start
to sound real to them. If you have a good enough pretext, as we
call it in the industry, falsehood, fraud, and you sound nice enough
on the phone, you start to convince them.
Now we get to the tricky question of mother's maiden name. I
will say Smith. And the person will say, well, I am sorry, Mr. Horn,
that is not what we have here on the account. And excuse me, but
the response would be, well, goddamnit, who are you to have the
wrong information? I know what my mother's maiden name is. I
want a supervisor on the phone right now, or I am pulling my ac-
count out of this bank today. Well, hang on, hang on, Mr. Horn,
I am sure we can work this out. They eventually convince them
that somebody on their end has made a mistake, and then they
change Ms. Twentyman's information so that now she cannot even
access her own information, but I can.
That is how it is done. It is done dozens of times, if not hundreds
of times a day around this country.
Mr. HORN. Well, thank you.
Our last witness on this panel is Dr. Paul Appelbaum, the Chair-
man of the Department of Psychiatry and Director of the Law and
Psychiatry program for the University of Massachusetts Medical
School. Thank you for coming.
Mr. APPELBAUM. Thank you, Mr. Chairman. I am Paul
Appelbaum, M.D., vice president of the American Psychiatric Asso-
ciation, a medical specialty society representing more than 40,000
psychiatric physicians nationwide. My work treating patients, the
empirical studies that I have conducted on medical records privacy,
as well as my work consulting with State legislatures, State health
agencies, and the U.S. Secret Service have given me a broad per-
spective on medical privacy issues. Thank you for the opportunity
to testify today.
Just a month ago, a leading computer magazine proclaimed in its
cover story, "we know everything about you. Privacy is dead. Get
used to it." I greatly appreciate Representative Hutchinson's and
Moran's efforts, as well as the subcommittee's interest, in remedying
this loss of privacy.
I focus my comments today on the importance of protecting doc-
tor-patient confidentiality. The level of privacy enjoyed by patients
has eroded dramatically, and physicians are often hampered in our
ability to provide the highest quality medical care as a result. We
have a 21st century health care delivery system, but patients are
forced to live with privacy protections designed for the time of
Marcus Welby, M.D.
I note for your consideration several examples of today's health
privacy crisis. A study by professors at UMass, Harvard, and Stanford
revealed over 200 cases where patients at risk for genetic disorders
had been harmed by disclosures of medical record information.
Patients often forego insurance coverage to maintain their privacy.
I treated a skilled tradesman for 2 1/2 years who worked overtime
to pay for his treatment because he didn't want his union,
which administered his insurance plan, to know that he was receiv-
ing psychiatric care. Members of Congress have seen highly per-
sonal disclosures about their medical conditions, some true, some
untrue. In one case, a major daily newspaper splashed headlines
about a Member's mental health condition only days before the
Member's primary. The San Diego Tribune reported that a pharmacy
inappropriately disclosed a man's HIV status to his ex-wife,
and the woman was able to use that information in a custody dis-
pute.
The Federal Government's appetite for identifiable patient information
continues to grow. Witness last year's efforts by HCFA to
collect highly personal information in its Oasis program, an effort
that they were ultimately compelled, at least partially, to back
down from, and how it grows the potential for abuse of this infor-
mation.
It is critically important to realize that privacy is not only a
value in and of itself, it is an essential component of providing the
highest quality medical care. Some patients refrain from seeking
medical care or drop out of treatment in order to avoid any risk of
disclosure of their records. Others simply will not provide the full
information necessary for successful treatment, and we know this
from a Louis Harris poll that this is a widespread behavior in our
society today.
Patients ask us not to include certain information in their medi-
cal record for fear that it will be indiscriminately used or disclosed.
As a result, more patients do not receive needed care, and the med-
ical records data themselves that we need for many purposes are
inaccurate and tainted.
We need a high level of confidentiality protection for all medical
records so that all patients receive the privacy necessary for high-
quality care. Communicable diseases, mental illness and substance
abuse, sexual assault histories, cancer, reproductive and women's
health issues, as well as many other conditions may be highly sen-
sitive for patients, and information about these conditions is un-
likely to be revealed without assurances that the privacy that ex-
ists in the doctor-patient relationship will be maintained.
We believe that many medical privacy proposals before the Con-
gress as well as the regulations being proposed by the Department
of Health and Human Services, need to incorporate additional med-
ical privacy protections. The most significant action that Members
of this subcommittee can take today to protect medical records pri-
vacy would be to contact HHS to express your belief that additional
privacy protections should be included in HHS's final regulations,
and to conduct hearings on their proposal.
The American Psychiatric Association is very encouraged by Rep-
resentative Hutchinson's and Moran's privacy commission legisla-
tion. Particularly important, in our view, is to focus this proposal
on increasing public awareness of the need for additional actions
to protect privacy, as well as the actions that citizens can already
take to protect their own privacy; working on neglected areas of
privacy policy, including the adequacy of privacy protection for em-
ployees--many employers have widespread access to their employ-
Mr. HORN. We are now going to question this panel and we will
do it in 5-minute segments, alternating between majority and mi-
nority.
Does Mr. Turner want to yield to Mr. Moran, or would you like
to start?
Mr. TURNER. I yield to Mr. Moran of Virginia.
Mr. MORAN OF VIRGINIA. Well, thank you, my friend, and thank
you, Mr. Chairman, my friend as well. This was very good testi-
mony, and I particularly appreciate my constituent, Ms.
Twentyman, to come forward and tell us what happened to you. I
know that it is somewhat embarrassing, but I am glad that you
have taken the initiative. As you say, I don't know that your moth-
er's generation would be willing to, but you have stepped forward,
and I appreciate it.
It is just such a constituent that initiated the Driver's Privacy
Protection Act. It was a woman who went to a health center to get
advice, she had just had a miscarriage, and by the time she got
home, she drove home, she lived in northern Virginia, there was
a group picketing on her front lawn because they assumed that she
had had an abortion, because that health clinic had also offered a
full range of services to women. In addition to being--the irony of
it and being distraught, she just couldn't imagine how they had
known where she lived, and we found out that what they had done
was simply write down the license numbers of the cars and the tag
numbers and went to the State Division of Motor Vehicles that was
in Alexandria and got the addresses, the names of everyone that
had parked in that lot, and that just didn't seem right.
The State was collecting $5 for every individual piece of informa-
tion, direct marketing organizations, of course, were paying more.
We found out that there were a number of organizations that were
determined to continue that practice because they made a lot of
money off of it, and most protective of that practice was the States.
They were making millions, as Mr. Douglas has indicated. But the
detectives particularly wanted to be exempted. We exempted them,
and I know the newspapers and publishers associations want to be
exempted. I don't think the conference report finally exempted
them, but they thought it was also a great idea to be able to access
this information.
So we are vulnerable. But it would seem, and I know Asa feels
just as strongly, and I suspect my friend Mr. Horn and Mr. Turner
do as well, that we should not try to impose a type of cookie cutter
approach from the public sector if there is a way that the private
sector can regulate itself. There does seem to be a number of initia-
tives being attempted that would enable you to do that.
I guess I would like to solicit from the three of you, if you have
seen ways in which your situation, Ms. Twentyman, could have
been avoided, or you could have been protected. Mr. Douglas, this
information you give us is just astounding, the access that people
can get to our information, and then can shut us off from even get-
ting our own information. Dr. Appelbaum, you have obviously ex-
plored this very extensively as well.
Do you see efforts in the private sector developing that are able
to self-regulate, or at least give people an option to keep their infor-
mation private? What we did with the Driver's License Privacy
and they want to know your address and they want to know infor-
mation.
Mr. DOUGLAS. Radio Shack, yes.
Mr. HUTCHINSON. Your natural inclination, in the South we are
particularly friendly, we just give them what they ask, we are ac-
commodating. Of course, the dissemination of that information is
a concern.
But in reference to Social Security numbers, clearly, they are
being used far beyond what was originally intended. What impact
does that have on the dissemination of personal information?
Mr. DOUGLAS. It is the single biggest impact. It has become the
national identifier, although the American people were told it
would not be, and I think that is one of the reasons you see cyni-
cism around the country and the concerns with privacy around the
country that you talked about in your opening statement this
morning when you were back in your district. Because people are
aware of this, and they do know that--they are told on the one
hand, don't provide that, you don't need to provide that, yet at last
count I think 23 of the States in this Nation for the driver's license
number use the Social Security number.
So even if you provide your driver's license number, and we have
all done this, especially if we live locally, Virginia has it, although
again you can opt out of that process, but again how many do; the
District uses it, that the clerk will record that on the back of the
check.
Many people, such as Ms. Twentyman, who end up as identity
theft victims, need to remember there are 400,000 cases a year by
the Secret Service's statistics, not some privacy whacko group; the
Federal Government, recognizes 400,000 cases a year of identity
theft in this country, that begin in just such a fashion, with infor-
mation that is put down for purposes that is of questionable use.
But yet, if you go in there, Mr. Hutchinson, and tell them well, no,
I have been taught that I don't need to give that, in many cases
they won't complete the transaction with you, even though that is
not necessary for the transaction by any stretch of the imagination.
So the Social Security number problem is the most frequent
question I get when I talk to people on the Hill, and it is a very
complex one, because it is so ingrained in so many systems around
the country, and because it has become the default national identi-
fier to tomorrow, say, well, for Congress to outlaw it, that somehow
tomorrow it would crash the economy of this country.
Mr. HUTCHINSON. You are saying that if we outlawed the use of
Social Security numbers beyond the original intent, which is I
guess you give it to your employer so that you can make sure you
get credit for your FICA taxes that are paid.
Mr. DOUGLAS. Correct.
Mr. HUTCHINSON. If we outlawed it beyond that limited use,
what impact would that have?
Mr. DOUGLAS. I am sure you would hear loud and clear from the
business communities that so many are using that as the national
identifier, how will they now identify individual transactions that
go through. That has become the national identifier. Every busi-
ness in America that keeps information on our citizens and, you
know, very valid reasons, whether it be medical records, financial
records, the things that make our economy hum, to identify us use
the Social Security number.
Mr. HUTCHINSON. There is benefit to consumers for that as well.
Mr. DOUGLAS. Absolutely. That is one thing, and I touch on it a
little bit more in my full statement. We need to be very careful,
and that is why I wholly support this approach that is presented
here today, because the piecemeal approach of legislation could be
very dangerous.
I think there needs to be--we need to take a deep breath.
Gramm-Leach-Bliley just passed, the DPPA is just starting to kick
in; I am not as familiar with the medical area, but it is just start-
ing to kick in. We need to step back and take this 18-month look
at, first of all, how do some of those provisions that are out there
kick in, what effects do they have, and to find a comprehensive way
to deal with that. Because to just take a rash approach tomorrow
because of concerns I think would have a serious impact on the
business community.
Mr. HUTCHINSON. Thank you. Do I have any time left, or is it
gone?
Mr. HORN. Sure.
Mr. DOUGLAS. My fault. I am so long-winded.
Mr. HUTCHINSON. Let me just ask one more question if I might
which follows up on that.
Dr. Appelbaum, you mentioned that one thing the commission
could do is to increase public awareness. If you would just sort of
elaborate on that a little bit, particularly in the area of medical
records. We have a limited amount of protection now, but there are
some things that consumers can do to protect to a greater extent
their own information; is that correct?
Mr. APPELBAUM. There is, yes. There are a number of such steps
that they can take, of which most people are unaware. An increas-
ing number of States, for example, give patients the right to access
their own medical records and to make corrections to those records
if errors are found, before the records are widely disseminated, po-
tentially, to their disadvantage. Most people don't know that. There
are institutions such as the Medical Information Bureau in my
home State of Massachusetts which collects medical-related infor-
mation for the insurance industry, and similarly will allow individ-
uals to find out, not easily, but to find out the information that is
being kept in their files, and correct it, and most people are un-
aware of that as well.
Mr. HUTCHINSON. Let me interrupt, because I want to yield back
my time, but the commission I think is important, that if you con-
duct hearings across the country, you engage in getting information
of the problems that are out there, but also educating the public
as to things that they can do themselves to protect privacy, and I
think that is very important.
Mr. Chairman, thank you for your leniency, and I yield back.
Mr. HORN. I thank the gentleman and I now yield to the ranking
member, Mr. Turner, the gentleman from Texas.
Mr. TURNER. Thank you, Mr. Chairman.
Ms. Twentyman, I want to thank you for your testimony. It has
been very enlightening to understand what you have gone through.
I notice you mentioned in one part of your testimony that you had
$13,000, I believe it was, in one credit card account alone that was
taken?
Ms. TWENTYMAN. Just in 3 or 4 days.
Mr. TURNER. In 3 or 4 days.
Ms. TWENTYMAN. Right.
Mr. TURNER. You mentioned, I think, later in your testimony
that you haven't personally been held accountable for any of these
balances. These credit card companies, do they have some kind of
protection for you as a credit card holder that ensures that you
don't have to pay when somebody steals from your credit card ac-
count?
Ms. TWENTYMAN. I don't know whether it is insurance or what,
but all of them have, as soon as I report it, they take it off my ac-
count and tell me I am no longer responsible for it. I am not sure
with their bookkeeping what they do with that money, but fortu-
nately I haven't had to repay any of it.
Mr. TURNER. Mr. Douglas, have you had any experience with
that? Do these credit card companies just routinely insure against
theft?
Mr. DOUGLAS. Yes, sir. The consumer is only liable in theory for
$50, if they make prompt notification, to the credit card company
and most credit card companies will even waive that $50 on behalf
of the customer in order to hold on to the customer.
The thing that should be noted on this, although the customer
is not losing out, the business is. And they are not necessarily in-
sured, they are self-insured in this area. Current statistics show
that on Internet transactions, and only 1 percent currently over the
last Christmas season, only 1 percent of purchases were made by
the Internet, 25 to 35 percent of credit card transactions currently
made on the Internet are fraudulent, and the people picking up the
tab on that are the Internet companies. They lose out. They end
up biting the bullet on that. So again, if that area is not addressed,
it will be a strain on the advance of the Internet economy.
Mr. TURNER. What kind of enforcement ability do we have to con-
trol this? It seems to me law enforcement is totally ill-equipped to
deal with any of this.
Mr. DOUGLAS. I think currently they are. I think they are scram-
bling quickly to catch up. I know the Washington Post has docu-
mented just within the last week some efforts on behalf of the FBI
to get up to speed in some of these areas, but as in many areas
of crime, the thieves are often far ahead. It should be noted, an
awful lot of that, especially in the Internet transaction area, is oc-
curring overseas where we have no enforcement jurisdiction. So
many of the software packages that are being developed for Inter-
net businesses, I-businesses, in order to preclude fraudulent trans-
actions are totally ruling out any transaction from overseas.
Mr. TURNER. When you said 25 percent of the e-commerce trans-
actions are fraudulent, you are talking about purchases?
Mr. DOUGLAS. That is correct.
Mr. TURNER. With use of a credit card?
Mr. DOUGLAS. Right. Somebody claiming to be Mr. Turner to buy
a pair of Nikes is not Mr. Turner, but somebody else. We have all
seen when you have gone to a Web site and ordered that you can
have it delivered to another address. That is what they will do,
they will put in the credit card information and have it delivered
to another address, which is often a vacant home or they are in ca-
hoots with somebody else.
Mr. TURNER. What is the source of that 25 percent figure? Who
compiles that kind of information?
Mr. DOUGLAS. You will see that in almost any of the Internet
commerce magazines that are tracking this information.
Mr. TURNER. What is the track record with regard to theft from
bank accounts? Of course I don't mean just Internet banking, but
theft from bank accounts of individuals? Do we have any compila-
tion of totals or is that a very common thing?
Mr. DOUGLAS. I don't have any compilations of totals. When you
deal with the identity theft that I have talked about, which is pre-
text, it is very hard to track, because often it is done and the per-
son doesn't know how it is done; just as Ms. Twentyman said, they
never have caught the person. So a lot of people don't report, a lot
of people are embarrassed about it, and I am sorry to say that our
most fragile and under protected citizenry in this country is senior
citizens who this happens to quite regularly.
A lot of this is done over the phone. I have talked about methods
that are used to get it from the actual institutions, the same meth-
ods are used to defraud our citizens by phone, and senior citizens
are the most vulnerable because they grew up in a generation that
was polite and didn't just hang up the phone on somebody.
Mr. TURNER. Is there any source of compilation of theft from
bank accounts using any of these methods, or is this the kind of
information banks wouldn't like to talk about too much?
Mr. DOUGLAS. Well, let me give you an example. There was an
information broker by the name, a company called Source One, run
by one individual by the name of Peter Easton out of New York.
The State of Massachusetts has been the most aggressive in this
area. They civilly prosecuted, I think, 10 companies, and he was
the only one that went to trial, and they found thousands of cases
in just his situation alone. Touchtone that I talked about before
from Colorado is currently under a proceeding in the FTC and they
also, when they saw his records, found thousands of these cases.
Docusearch employs 18 people, Touchtone employed 12 or 18 peo-
ple, and these are just one of hundreds or dozens of companies
around the country.
So you could work the statistics backward that way from the few
successful prosecutions and know that this is happening thousands
of times a day around the country, if that is helpful.
Mr. TURNER. Thank you, Mr. Chairman.
Mr. HORN. We thank you. Let me ask just a few questions to the
panel. I might say for my colleagues, if you pick out your voting
card, which is your identity card, the Social Security number you
have is printed on the card. So be careful.
Anyhow, how about the chance to look at H.R. 4049, the Hutch-
inson-Moran bill. Do you have any suggestions on it? There is the
markup of the commission and their purposes and so forth rather
well set out. Dr. Appelbaum, do you have any thoughts on it?
Mr. APPELBAUM. Yes, I do, Mr. Horn. The composition of the
group is laid out in terms of its bipartisan nature. But I think for
the purposes of achieving true privacy protection, it would be im-
portant to build into this legislation some balance among the var-
ious actors in this area, since interests are genuinely conflicting
and everyone should be represented. The National Committee on
Vital and Health Statistics, which is similarly charged to explore
this area, has on it, although it was balanced from a partisan per-
spective, no consumer representatives, no patient representatives,
no privacy advocates, and one practicing physician, and it is that
kind of imbalance that we would hope would not occur with this
new and very promising privacy commission proposal.
Mr. HORN. So you are saying in the appointments by the major-
ity leader, minority leader, Speaker, and President, there ought to
be, the kind of person they pick would have some major concern,
maybe, on this particular matter. I don't know how the gentleman
who authored this feels.
Mr. HUTCHINSON. Well, first of all, I agree completely that this
commission should be composed of people that represent a broad
range of the stakeholders in this issue, and second, that they are
openminded to this issue. But the reason that was not--when we
thought about specifically delineating different representatives on
it that sure enough we will leave somebody out, for one thing, and
the balance of it, and I felt like, and we have talked about this with
Congressman Moran, that the political process would work; in
other words, these stakeholders are going to be asking and putting
pressure on the appointing people to make sure they are rep-
resented on it. I am certainly open, if we need, and we can do that
fairly, to delineate that, but that was the thinking, anyway.
Mr. HORN. You mentioned, Mr. Douglas, in your testimony about
the Colorado case, and you also mentioned what went on in Vir-
ginia. Now, what are the penalties the States have? Have you sort
of taken a look at those? I want to tell the staff on both sides that
the American Law Division will be asked to give us a paper on the
penalties. But I wondered what your experience is; just for this
hearing.
Mr. DOUGLAS. When it comes to the use of pretext and other
means of fraud and deception to gain information, most of the
States have nothing specifically on point. In fact, the Federal Gov-
ernment didn't, until the Financial Information Privacy Act under
Gramm-Leach-Bliley, and that is specific to a very narrow range of
pretext methods used against financial institutions.
As I noted in my written statement, most of the information bro-
kers have figured out, or are either ignoring it or have gone under-
ground, unfortunately, that is quite a few of them, or figured out
other techniques that I am aware of to get around it. Gramm-
Leach-Bliley's enactment brought the first Federal criminal provi-
sions ranging from 5 to 10 years, depending upon the dollar
amount involved, or the size of the company. But most of the
States have nothing. There had been really no prosecutions.
There is some argument that Federal or State wire fraud laws
might apply. Perhaps the identity theft law that Congress passed
a year or two ago might apply, but we have seen relatively few
criminal prosecutions at all. In fact, only 1 State criminal prosecu-
tion, no Federal criminal prosecutions, and about 12 civil prosecu-
tions under Deceptive Trade Practices Act types of legislation the
State mirrored on the FDC's regulations, if that is helpful.
Mr. HORN. All four, the clerk will note, have accepted the oath.
So we will start with Professor Fred Cate, professor of law and
Harry T. Ice faculty fellow at the Indiana University School of Law
in Bloomington. Now, they have a school of law also in Indianap-
olis, don't they?
Mr. CATE. Yes, Mr. Chairman, they do.
Mr. HORN. But is the main one at Bloomington?
Mr. CATE. They would resent the definition of "main" as being
in Bloomington; there are two separate law schools.
Mr. HORN. Well, you have a beautiful campus there in Blooming-
ton. I was a fellow there for a week, 30 years ago, and it is impres-
sive, what you are doing at Indiana.
Mr. CATE. Thank you, Mr. Chairman.
Mr. HORN. Please proceed.
STATEMENTS OF PROFESSOR FRED CATE, PROFESSOR OF
LAW AND HARRY T. ICE FACULTY FELLOW, INDIANA UNI-
VERSITY SCHOOL OF LAW, BLOOMINGTON; TRAVIS
PLUNKETT, LEGISLATIVE DIRECTOR, CONSUMER FEDERA-
TION OF AMERICA; ARI SCHWARTZ, POLICY ANALYST, CEN-
TER FOR DEMOCRACY AND TECHNOLOGY; AND SANDRA
PARKER, ESQUIRE, DIRECTOR OF GOVERNMENT AFFAIRS
AND HEALTH POLICY, MAINE HOSPITAL ASSOCIATION
Mr. CATE. Thank you very much.
Mr. HORN. As you know, your statements are in the record; sum-
marize it so we have time for questions.
Mr. CATE. I will do so. Let me say for the record, I specialize in
privacy and information law-related issues. I am testifying today
not only as somebody who specializes in that area, but also on be-
half of the Financial Services Coordinating Council, which, as I be-
lieve you know, is an alliance of the principal national trade orga-
nizations in each of the financial services sectors that deal with
issues that cut across those sectors, including privacy.
I think, as the prior panel showed, and something which I be-
lieve all of the members of this committee certainly already knew,
the issue of privacy is not only incredibly urgent, it is also enor-
mously complex. It arises in many different contexts, it involves
many different types of information, it involves use of information
by many different people. As a result, efforts to deal with privacy
issues, whether those efforts are regulatory or legislative or techno-
logical, are themselves also inevitably quite complex, and there are
a great variety of them. It is precisely because of this complexity
and variety that the comprehensiveness of the proposal for a pri-
vacy study commission is certainly laudable. The idea of bringing
together in one place a focus on a wide range of issues is certainly
laudable.
Let me be very specific, however, and offer two comments about
the proposal itself.
One is the issue of what do you do about financial information?
Congress has just in the past year passed the Gramm-Leach-Bliley
Financial Services Modernization Act, that has not even yet been
implemented, regulations are currently pending, and that bill itself
calls for a study to be conducted by the Department of the Treas-
ury. The risk of duplicating that effort or of rewriting one set of
Mr. HORN. Well, thank you very much, Mr. Cate. We will go to
Mr. Plunkett. Mr. Plunkett is the legislative director for the Con-
sumer Federation of America.
Mr. PLUNKETT. Good morning. Thank you very much for the op-
portunity to offer our comments today, Chairman Horn, and Mr.
Turner. We commend the subcommittee for examining this impor-
tant issue.
We agree with everything we have heard so far on the signifi-
cance and urgency of further action on privacy protection for Amer-
icans. I am going to commend Representative Hutchinson, because
we have talked, I have talked with his staff and with him about
our concern here. It is not that we don't see a need for action with
the commission and on privacy, it is just a question for us of what
is the most effective and timely course of action.
I too will focus my comments on financial privacy and on that
issue in particular, we believe that a commission may actually be
harmful, not because of your desire to look at the issue and address
concerns, but because momentum is building right now at the State
and the Federal level to take action soon. Our fear is that it will
stall if a commission is enacted.
Like it or not, if Congress establishes a commission to examine
privacy issues, many will urge, and we have already heard it to
some extent this morning, that all major privacy proposals be stuck
in a deep freeze for 18 months or more. The commission has an
ambitious schedule and they might run a little over while the com-
mission is operating.
We do very much welcome the fact that the sponsors of this bill,
Mr. Hutchinson in particular, see a need for further Federal action
on privacy, and I commend Mr. Hutchinson for highlighting the
need for more comprehensive Federal approaches. The American
people clearly want it. The Wall Street Journal surveyed its sub-
scribers about the most serious issue facing America in the 21st
century, and the top concern was not the economy, education, or il-
legal drugs, it was the loss of personal privacy.
On financial privacy, there is a great deal of research about what
Americans want, very specific research, including a 1999 survey by
AARP, that found that 81 percent of its members oppose the inter-
nal sharing of their personal and financial information with affili-
ates, a key issue I will get to in a minute, and 92 percent oppose
companies selling their personal information.
The erosion of privacy, which we are all aware of and grappling
with, leads not only to annoyances, and I put phone calls from
pushy people at dinnertime in that category, it can be harmful. You
have already heard a great deal about identity theft, which I would
call the signature crime of the Information Age and the anecdotal
evidence you have heard this morning is backed up by research.
Law enforcement officials report a sudden sharp increase in iden-
tity theft.
Another example regarding financial privacy, how this causes
real harm, a bank in California's San Fernando Valley sold 3.7 mil-
lion credit card numbers to a felon who then allegedly bilked card
holders out of more than $45 million in charges worldwide.
I would point out that consumers and businesses suffer when
Americans are worried about their personal privacy. This is an
Mr. HORN. Thank you. We now have Mr. Ari Schwartz, policy an-
alyst for the Center for Democracy and Technology. You might tell
us a little bit about that institution.
Mr. SCHWARTZ. Sure. Thank you, Chairman Horn and members
of the panel. Thank you for inviting me to testify on the Privacy
Commission Act.
CDT believes that the focused privacy commission could help
build privacy protections, but as Representative Hutchinson men-
tioned earlier, it should not be used to derail the current process
on important legislative proposals already in front of Congress.
Before going into detail about how such a commission might
work, I would first like to explain CDT's view of the current state
of consumer privacy. As some of you know, the Center for Democ-
racy and Technology is committed to protecting privacy on the
Internet. Recent studies have shown that individuals are growing
more concerned about their loss of privacy, both on and off line.
These growing concerns are well-founded. Stories of privacy inva-
sions and security gaps in both the private and public sector are
becoming almost daily occurrences. CDT believes that work in
three areas, three legs of a stool if you will, are needed to help re-
verse this trend and build privacy protections for the future.
First, CDT is working with many responsible companies, privacy
experts and technologists on privacy-enhancing technologies which
are necessary to build privacy into the infrastructure of commu-
nications technology such as the Internet and reverse the trend
that we have been seeing so much of with privacy-invasive tech-
nologies. For example, we are working on a standard with the
World Wide Web Consortium called the Platform for Privacy Pref-
erences, or P3P, which would make privacy notices easier to read.
Many companies are beginning to build P3P into their Internet
products. For example, last week Microsoft announced that it has
plans to implement P3P in its upcoming consumer software prod-
ucts. Self-regulatory efforts by industry are also important to en-
sure enforcement on the Internet. As the economy becomes more
global and decentralized, responsible practices become an increas-
ingly important tool.
Last, we believe that there is a role for Congress. Legislative ap-
proaches are needed. Without the means to imbed fair, predictable
results, better encourage self-regulation, or go after bad actors in
law, CDT fears that the actions of a single company could cause
the public to question the motives of an entire industry. For the
reasons that we have heard today, this is especially important in
the financial, health and Internet areas.
Congress must move forward in these areas in particular.
A commission such as the one proposed could help learn how to
protect privacy. In fact, over the past 30 years, we have seen var-
ious kinds of commissions at the U.S. Federal level. I have detailed
those in my written testimony in the appendix. However, while the
theoretical work of these commissions and panels have pushed pri-
vacy forward worldwide, the U.S. consumers have very little to
show for it. Therefore, we urge you not to duplicate the work of
those past committees and panels, but to move forward and focus
the panel on issues that have not been studied.
Mr. HORN. Thank you very much. We will get back to questions.
Our last panelist on panel two is Sandra Parker, esquire, Direc-
tor of Government Affairs and Health Policy, the Maine Hospital
Association. Thank you for coming down.
Ms. PARKER. Thank you for having me, Chairman Horn. We rep-
resent 38 main hospitals and their affiliated entities. I am here
today to tell you about Maine's experiences in legislatively protecting
the confidentiality of health care information, a small subset of
the information referenced in H.R. 4049, but one that is particu-
larly near and dear to us.
Our members, and I think everyone in this room firmly believes
that health care information is very private and it needs to be pro-
tected against inappropriate disclosures. Dr. Appelbaum did a fine
job explaining the reasons and concerns people have, and I am not
going to reiterate any of them, but I will tell you in recognition of
those concerns, our hospitals have always had policies in place to
protect the information, because we think it is important, and we
will continue to have the policies, no matter what happens in Au-
gusta, ME or Washington, DC.
The Maine Legislature agreed with us. In fact, they wanted to
see every health care practitioner have those practices and policies
in place to protect the information, and they felt that the Maine
citizens would benefit from a statewide consistent privacy standard
in applying to everyone. So they began.
In January 1997, they took up the very difficult task of translat-
ing those protective ideals into legislative language. Their initiative
would apply only to health care providers in an effort to protect
health care information at its source. Respecting the complexity of
the task before them, they worked with a professional facilitator
and met every 2 weeks with interested parties and a facilitator to
exhaustively study the issue and try to anticipate all of the con-
cerns. They worked through the spring, they worked through the
summer, they worked through the fall and into the next year. Our
dedicated legislators worked for 2 years to develop a bill just on
health care information and studied it extensively.
Still, consensus was hard to find, and it wasn't until the final
hours of the session in the 1998 session that a compromise bill was
quickly passed through the House and Senate. It was to be effec-
tive January 1, 1999.
As we reviewed the bill and prepared to help our members com-
ply with the anticipated new law, we began to uncover some unin-
tended and troublesome consequences, despite their extreme hard
work.
I would like to just briefly illustrate a couple of those, nowhere
near what is in my written statement, but just a quick illustration.
To do that, I need to tell you three provisions of the law. First,
health care information is defined very broadly and intentionally
so. They didn't want any health care information to fall through
the cracks. So they defined it as any information that identifies an
individual directly and relates to their physical, mental, behavioral
condition, medical treatment, personal or family history. It sounds
like a terrific definition. We still stand by it, but it caused us some
problems.
The second piece I would like you to know is that with certain
exceptions, the law required written authorization from the patient
or their legally appointed representative before any disclosures
could be made. Again, that sounds terrific, and again, it gave us
some problems I would like to tell you about.
The third piece you need to know is that written authorization
is a defined term in our statute. They specifically denote the ele-
ments of a valid authorization and nothing else will do. It must be
written and it must have those elements.
Well, nowhere in the law did they reference directory informa-
tion, and what I mean by that is if you find out that your good
friend Sandra Parker is in the hospital and you call the medical
center and ask how I am doing they tell you that I am in room 222
and in satisfactory condition. Our law never mentioned directory
information, but confirmation that I am in the hospital and saying
that I am in satisfactory condition relates to my medical treatment
and physical well-being and, therefore, falls within the definition of
health care information, therefore requires written authorization
from me specifically in order to release it. So, that is what we did.
There were delays, however, and when people were in the emergency
room and they hadn't gotten to their routine paperwork yet
and they said to their care giver could you go out and get so and
so from the waiting room, we would have to say, well, no, we can't,
because we can't tell them you are here until we get to the paperwork
and sign the forms. They could not tell us. Oral authorization
was not enough, it had to be written. Unless and until that paperwork
was done, visitors couldn't be directed, clergy couldn't be
called, phone calls couldn't be transferred, flowers couldn't even be
accepted.
It sounds like a good idea, but in practice we received many,
many complaints about it.
The idea that oral authorizations were not allowed was a prob-
lem for us. Maine residents often spend the harsh winter months
in more temperate climes and would like to call their physicians or
hospitals and get their medical records transferred and that option
was completely removed from their control. They now had to get
a special form with statutorily required elements, fill it out, sign
it, date it, send it back to their provider before the provider could
direct the records to the right place.
The other major problem that we had was that the authorization
of disclosure was given only to the patient and their legally appointed
representative. That was also done intentionally, for good
reason. We don't want anyone else to have control of that information.
However, many, many people don't have legally appointed
representatives, and by that I mean a guardian, a court-appointed
guardian, someone with power of attorney, someone under an advanced
directive statute. What we found was that when people
didn't have a representative, a legally appointed representative and
were unable to sign their paperwork, because they were too ill,
they were medicated, they had a stroke, whatever it was, we had
nowhere to go. We could release no information to anybody under
any circumstances.
So despite great effort, there were some problems. We ap-
proached the sponsor of the bill and we worked with her to amend
it, and we submitted a bill, but before the legislature could reach
our bill, the law went into effect on January 1, as scheduled, and
the day it went into effect, the legislators' constituents began to
call, and they called, and called and called and complained, so
much so, so adamantly so, that the legislature suspended the law
after it was in effect for just 2 weeks and went back to the drawing
board. There were extensive discussions about maybe not going forward
at all, maybe we should wait for a Federal law, maybe we
didn't need it, maybe it was an impossible task. But it was so important,
so, so very important that the legislators, to their credit,
gave it another try. They worked on it for 6 more months and
amended the law.
The amended law went into effect February 1, just a couple of
months ago. So far, it seems to be effectively protecting information
without provoking consumer outrage. Perhaps we will have more to
do. We are still learning our lessons. But it is something that ev-
eryone in Maine believes in, and we will keep trying. It is that im-
portant.
Thanks.
[The prepared statement of Ms. Parker follows:]
Mr. HORN. Well, I thank you for those answers. I noticed in one
of the papers here, I believe it was Mr. Schwartz's one, where you
noted the updating of the Privacy Act of 1974, and you made a
point here that the quote, to make matters worse, the Office of
Management and Budget has not updated its Privacy Act guidance
since a year after the act was passed.
What do you feel is the reason for that, and what do you think
they ought to do in updating?
Mr. SCHWARTZ. Well, it has only been a year since the OMB has
gotten a Chief Counsel for Privacy, so hopefully we are moving
down that path. This past year we also had all of the agencies right
there on Privacy Act implementation, where they stand on the re-
ports, and the OMB and the Chief Counsel for Privacy in particular
will be handing out a final report based on those to the Congress.
Also, GAO is looking into privacy-owned government Web sites,
another important issue that should be covered by the Privacy Act
more than it is, but as I said in my written statement, the Internet--the
Privacy Act wasn't designed with the Internet in mind. So
we really do need to reexamine the Privacy Act. I think this kind
of commission would be a perfect venue to do that, and it certainly
would be great to have more oversight hearings on the Privacy Act
when OMB's report moves forward.
Mr. HORN. Mr. Plunkett, is there legitimate need to exchange in-
formation between the banks and third-party affiliates, specifically
for the various life needs, like check printing and credit billing in
small community banks, and wouldn't you agree that these need to
be known before laws are enacted which could have unintended
consequences, which could cripple entities such as the small com-
munity banks?
That is a question that Mr. Hutchinson has left for me to ask,
because he had to go to another meeting.
Mr. PLUNKETT. That is a good question. The legislation that Mr.
Markey and Mr. Barton have introduced allows for explicit ap-
proval for the financial institutions to share information when it is
for the intended purpose; that is, if you are opening up a checking
account, they can certainly share your checking account informa-
tion to those that are printing your checks. That is a fairly, I think
a fairly easy problem to fix and absolutely there is a legitimate rea-
son in that circumstance to share information.
Mr. HORN. Any other comments on that by anybody? Professor
Cate.
Mr. CATE. If I may just say, Mr. Chairman, I think the difficulty
here is that there are a lot of uses that we might consider valuable
that aren't that immediately obvious. For example, fraud prevention
or detection, monitoring accounts to determine if there are
charges out of the ordinary, monitoring an account to determine
whether that customer is speaking to a balance in a noninterest-bearing
account--these are all things which we could debate on
whether it is within the purpose for which the person originally
disclosed the information. I think we would also all consider them
to be valuable uses. I think this really sort of highlights the com-
plexity here.
I obviously disagree that this issue has been thoroughly and well
studied and we now know what to do and should do it. I think the
fact that you have 22 States that have introduced 22 different bills,
none of them agree on what to do and how to do it, and in fact a
large part of that is that we have so little sense, I think exactly
what the Maine experience showed. It was easy to focus on the pri-
vacy side; it was very hard to focus on what are all the valuable,
useful things we do with useful information every day that we
don't want to put a stop to.
Mr. HORN. Thank you. Well, thank you. I just have one question
before I yield to Mrs. Maloney.
Some of you have had experience on the privacy laws abroad,
and I am curious what your thinking is on the European Community's
privacy laws. You will recall the European Community asked
all of their Member States to put together a privacy law about 2
years ago, and then they put it off for a while, and there were real
concerns in this country in terms of the free flow of data between
corporations of the United States subsidiaries in Europe and Euro-
pean subsidiaries in the United States, and that was one of the
reasons they put it off.
I just wondered what your thinking is there, and would that
have made a major impact on the economy. Again, they wanted, I
guess even a census date that the individual signed the form,
which sounded a little much. But go ahead.
Mr. CATE. Well, Mr. Chairman, thank you. I think the answer is
absolutely it would have made an enormous impact on not only the
economy of international trade between the United States and Eu-
rope, but also within Europe, which is probably why Europe has
really not implemented the directive. Half of the countries haven't
implemented it at all, they have not even made the pretense of im-
plementing it. The others have implemented laws which we are
told by data protection commissioners in Europe are not being en-
forced currently.
So, for example, if you read the law, what is the law today in
England, Greece, or Portugal, it would tell you that the law is opt
in affirmative consent. You must get consent, for example, from
every employee in writing before you process their data. What we
know is that is not taking place in any of those countries, that in
fact they are simply using a slightly different mechanism than we
use. We tend to write exceptions into law; they are simply putting
those exceptions into practice.
Mr. HORN. Any comments on that, Mr. Plunkett?
Mr. PLUNKETT. I would note that in the so-called safe harbor ne-
gotiations, many of the same entities, financial institutions in par-
ticular, that talk about the expense of complying with meaningful
privacy protections, and by that I mean privacy protections that ex-
tend to affiliates which I spoke about earlier and information-shar-
ing to affiliates, many of the same companies that are objecting
there are willing to go along with an agreement that is close to
being consummated, the so-called safe harbor agreement, that will
provide European customers of American institutions with greater
privacy protection than with American customers.
Mr. HORN. Now I yield to the gentlewoman from New York. It
is good to see her here, a former ranking member.
Mrs. MALONEY. Great to see you, Mr. Horn, and thank you for
calling this important hearing. I would like to request that my
opening statement be put in the record.
Mr. HORN. Without objection, it will be put where all the opening
statements were, as if read.
Mrs. MALONEY. Thank you. Then I would like to just ask a few
questions. I am not against this bill, but I hope that the intent is
not to stop other protections from going forward, and the protec-
tions that we already have in place.
Last year, as a member of the Banking Committee, I had an op-
portunity to participate in the conference on the Gramm-Leach-Bli-
ley Financial Services Reform Act where we had a considerable de-
bate over issues related to the privacy of financial institutions and
passed some privacy protections for consumers of financial institu-
tions. These regulations have not even been in place yet. Shortly
over 2 billion consumers will be receiving privacy notices in the
mail, and my question is, would this commission in any way halt
or hinder this work that we have already done? This commission?
Mr. CATE. Well, if I can speak to that, I would say certainly, you
know, our view is that it should not.
Mrs. MALONEY. So it would not. Is that clear in the bill?
Mr. CATE. I believe there is no language in the bill that would
suggest it has the power to stop the implementation or that it is
the intent of Congress to stop the implementation of any existing
law. You might even argue further, I mean this would suggest to
me why, if the commission goes forward, you would probably want
people on it, some of the members of it, to be involved in the imple-
mentation of that law, to bring the experience of that process to the
commission.
Mrs. MALONEY. I would like to mention--
Mr. PLUNKETT. Could I respond as well?
Mrs. MALONEY. Sure. Anybody can comment.
Mr. PLUNKETT. I would agree that the intent of the act is not to
inhibit implementation of the Gramm-Leach-Bliley act. I would
note, though, that the regulations that are ongoing don't deal with
the significant flaw in the act that these State bills and the Federal
bills have identified, which is the affiliate-sharing loophole.
Mrs. MALONEY. But a number of States are going forward with
their initiatives, as I understand it, is that correct?
Mr. PLUNKETT. Well, they are moving through the process, in-
cluding in New York, from what I understand.
Mrs. MALONEY. Now, I would like to ask about another issue. We
actually had several hearings on this particular matter, the Health
Insurance Portability Act, a 1996 act. It provided that if Congress
was not able to reach consensus and enact legislation on medical
privacy by August 1999, the Secretary of Health and Human Serv-
ices would come forward with medical privacy regulations to ensure
that Federal medical privacy protections are in place. Since Con-
gress failed to meet the August 1999 deadline, the Secretary is
now, as we sit here, in the process of finalizing medical confiden-
tiality regulations.
I would just like to ask the members of the panel, do you believe
that if a privacy commission were created, the administration
should delay moving forward with these regulations until after the
no way want to hinder the work going forward from the 1996
Health Insurance Portability Act on privacy and also the work of
the Banking Committee on the Gramm-Leach-Bliley, so that it
doesn't hinder this work going forward.
Mr. HORN. We are going to have a markup on this. That might
come up there. I will tell you, if this commission doesn't pass, there
won't be much passed, because they have had numerous privacy
bills in the Senate, in the House; they have gone nowhere, except
the one on the banking and the human services regulations issued
by the Secretary. So I look on it the other way, that this is the way
to get a privacy law on the book, is get that commission moving.
I thank the gentlewoman for being here.
The last word I will give to the prime author of the legislation,
Mr. Hutchinson. I want to say that both the Democratic side and
the Republican side will be forwarding you and the first panel some
questions that we haven't been able to get to. We hope you will
write the answers and they will go in this part of the record.
In addition, we will keep the record open to any citizen for the
next 2 weeks, roughly 14 days.
So please send it to the staff. It is B373, I believe. The chief
counsel and staff director, Mr. George, is over there, and we will
work it out with everybody as to the questions and they will go into
the official record.
So I now yield for the last word on this subject for 5 minutes to
the gentleman from Arkansas.
Mr. HUTCHINSON. I thank the Chairman. Again, I want to ex-
press my appreciation for this hearing, your willingness to schedule
a markup on this legislation. I just want to make a couple of com-
ments. First, I want to thank Ms. Parker for being here and testify-
ing on this and giving us the experience from Maine. I think that
is very instructive and helpful as we look at this in Congress and
our responsibility.
There have been some questions about the criteria for membership,
and I would emphasize that, you know, this can be changed;
obviously, that is what the markup is for, and if wisdom prevails
that we ought to specify different criteria for involvement in this
commission, then I am certainly open to that. But the reason that
was not included is, as I stated before, there is always a fear of
leaving someone out. I can just see itemizing who should belong to
this commission and someone coming up and saying, well, how
about our group, or how about this particular stakeholder. So you
start down a risky path.
The other reason is that it is consistent with other commissions
in the past that you leave the particular makeup of the commission
to the appointing officials and allowing a bipartisan consensus to
develop on it. So I would expect that all of the important stakehold-
ers should be and will be represented on the commission. But
again, if we need to be more specific than that, then that might be
an option.
The second issue, and I want to talk to Mr. Plunkett for a mo-
ment, and I very much appreciate your testimony today, and I spe-
cifically wanted you on this panel because I knew you disagreed
with the commission. I think it is important as you consider legis-
lation that you hear from both sides. I appreciate your work on pri-
vacy. You and I can get together and we can push some of these
bills through and we can get some passed this session, but there
are a lot of other players out there, and I think in fact because it
could be a short legislative session, it is going to be difficult, as the
chairman said, to develop a consensus on an individual bill. But it
is very important that this not be used as an excuse not to continue
passing some privacy regulations or some privacy initiatives.
I see this as complementary. If you passed everything on your
wish list, Mr. Plunkett, this year, I still think we need a privacy
commission, because you still have on-line privacy issues, you have
developing technology, you have got new criminals out there that
create new methods of invading someone's privacy. So I think that
we need to see how the laws that we passed are going to work, we
need to see how the FTC and the other regulations that are being
considered on financial privacy, how they are working out there,
and that is part of the function of this commission, to see what sup-
plementary we need to do.
For example, Mr. Plunkett, I mean there is the opt-in, opt-out
question right now, am I correct?
Mr. PLUNKETT. Oh, yes.
Mr. HUTCHINSON. And so if there is not--I mean the regulations
that are going to be adopted are going to be under the--where you
have to specifically opt out, is that correct?
Mr. PLUNKETT. In some cases. In other cases it won't be allowed,
yes.
Mr. HUTCHINSON. So if you want to change that, unless we pass
some legislation, the commission would have to look at that.
Now, I think the debate was whether we should even look at that
at all, because it is already under consideration by an ongoing reg-
ulatory body, and I think that is a fair consideration we need to
talk about some more. But regardless of what we pass, I see the
need for a commission to look at the new challenges in the future,
and to look at it comprehensively rather than just sectorially, what
are we doing in financial privacy, what are we doing in health care
records and what are we doing with on-line. It intersects and cross-
sections each other. So that was the purpose of it.
I know that was a little bit of a speech--
Mr. PLUNKETT. After my speech, you have a right.
Mr. HUTCHINSON. So thank you again, Ms. Parker and gentle-
men, for your testimony today. I yield back, Mr. Chairman.
Mr. HORN. I thank the gentleman very much. I hear the gentle-
woman from New York has one question.
Mrs. MALONEY. Mr. Chairman, I have another item that really
came out of the Banking Committee and I would like to ask Mr.
Hutchinson for clarification. I would like to see it in this bill, and
I am waiting to see the final language, but I am not against this
bill and will probably support it.
But one thing that we were very concerned about is that each
State is different in their financial services, very different. So
States wanted the freedom to come forward with stricter provisions
and insurance or privacy or banking or their own special needs,
and in your bill, do you see that this would not in any way hinder
the ability for States to go forward with stricter provisions?